Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #913801,
regarding stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
913801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

The security team doesn't wish to do a DSA for this CVE, and asked me to
deal with it with the release team. Here's the CVE description:

    CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
    applied upstream patch: remove extra information from std.ssh action.
    (Closes: #912714).

Debdiff is attached. Please allow me to upload the fix to Stretch.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index b2ce8602..06234034 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
+    applied upstream patch: remove extra information from std.ssh action.
+    (Closes: #912714).
+
+ -- Thomas Goirand <z...@debian.org>  Mon, 05 Nov 2018 14:38:44 +0100
+
 mistral (3.0.0-4) unstable; urgency=medium
 
   * Add allow-sqla-1.1.patch to allow SQLA transition.
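Review bot: the new changelog stanza targets `stretch-security`, but this bug is a stretch-pu request (Tags: stretch, Usertags: pu) that the security team explicitly declined to handle as a DSA, so the upload goes through proposed-updates and the distribution field should be `stretch`, i.e. `mistral (3.0.0-4+deb9u1) stretch; urgency=medium`.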
diff --git 
a/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
 
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
new file mode 100644
index 00000000..af601bbf
--- /dev/null
+++ 
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
@@ -0,0 +1,29 @@
+Description: CVE-2018-16849: Remove extra information from std.ssh action
+ The ssh error message can lead to information leak.
+ Removing the extra ssh message effects only the CLI call,
+ the full message is still being logged
+Author: apetrich <petr...@gmail.com>
+Date: Mon, 3 Sep 2018 14:00:22 +0200
+Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
+Bug-Ubuntu: https://launchpad.net/bugs/1783708
+Bug-Debian: https://bugs.debian.org/912714
+Origin: upstream, https://review.openstack.org/601214
+Last-Update: 2018-11-05
+
+Index: mistral/mistral/actions/std_actions.py
+===================================================================
+--- mistral.orig/mistral/actions/std_actions.py
++++ mistral/mistral/actions/std_actions.py
+@@ -358,8 +358,11 @@ class SSHAction(base.Action):
+         def raise_exc(parent_exc=None):
+             message = ("Failed to execute ssh cmd "
+                        "'%s' on %s" % (self.cmd, self.host))
++            # We suppress the actual parent error messages in favor of
++            # more generic ones as we might be leaking information to the CLI
+             if parent_exc:
+-                message += "\nException: %s" % str(parent_exc)
++                # The full error message needs to be logged regardless
++                LOG.exception(message + " Exception: %s", str(parent_exc))
+             raise exc.ActionException(message)
+ 
+         try:
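Review bot: `LOG.exception(...)` only records a traceback when it is called while an exception is being handled; `raise_exc` receives `parent_exc` as an argument rather than reading the active exception, so confirm every caller invokes it from inside the `except` block (the `try:` in the trailing context suggests that is the case), otherwise the log line carries the message but no stack. The hunk also relies on a module-level `LOG` that is not visible in this context; verify it is defined in the 3.0.0 `std_actions.py` before upload. Minor: the Description header says "effects only the CLI call", which should read "affects".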
diff --git a/debian/patches/series b/debian/patches/series
index 7f9d7ed2..5017dfe7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 allow-sqla-1.1.patch
+CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch

--- End Message ---
--- Begin Message ---
Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
